aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* sqlite: Use our locking mechanism also when sqlite3_threadsafe() returns 0Martin Willi2015-04-131-7/+20
| | | | | | We previously checked for older library versions without locking support at all. But newer libraries can be built in single-threading mode as well, where we have to care about the locking.
* sqlite: Show SQLite library version and thread safety flag during startupMartin Willi2015-04-131-1/+8
|
* vici: Defer read/write error reporting after connection entry has been releasedMartin Willi2015-04-131-12/+34
| | | | | | | | | | | | | | | | If a vici client registered for (control-)log events, but a vici read/write operation fails, this may result in a deadlock. The attempt to write to the bus results in a vici log message, which in turn tries to acquire the lock for the entry currently held. While a recursive lock could help as well for a single thread, there is still a risk of inter-thread races if there is more than one thread listening for events and/or having read/write errors. We instead log to a local buffer, and write to the bus not before the connection entry has been released. Additionally, we mark the connection entry as unusable to avoid writing to the failed socket again, potentially triggering an error loop.
* aead: Create AEAD using traditional transforms with an explicit IV generatorMartin Willi2015-04-135-12/+34
| | | | | | Real AEADs directly provide a suitable IV generator, but traditional crypters do not. For some (stream) ciphers, we should use sequential IVs, for which we pass an appropriate generator to the AEAD wrapper.
* iv-gen: Add a generic constructor to create an IV gen from an algorithmMartin Willi2015-04-134-2/+71
|
* openssl: Don't pre-initialize OpenSSL HMAC with an empty keyMartin Willi2015-04-131-6/+16
| | | | | | | | | | With OpenSSL commit 929b0d70c19f60227f89fac63f22a21f21950823 setting an empty key fails if no previous key has been set on that HMAC. In 9138f49e we explicitly added the check we remove now, as HMAC_Update() might crash if HMAC_Init_ex() has not been called yet. To avoid that, we set and check a flag locally to let any get_mac() call fail if set_key() has not yet been called.
* thread: Remove unneeded thread startup synchronizationMartin Willi2015-04-131-13/+4
| | | | | | | | | | | sem_init() is deprecated on OS X, and it actually fails with ENOSYS. Using our wrapped semaphore object is not an option, as it relies on the thread cleanup that we can't rely on at this stage. It is unclear why startup synchronization is required, as we can allocate the thread ID just before creating the pthread. There is a chance that we allocate a thread ID for a thread that fails to create, but the risk and consequences are negligible.
* libsimaka: Link against Winsock2 on WindowsMartin Willi2015-04-131-0/+4
| | | | The library makes use of htons/ntohs().
* fips-prf: Remove superfluous <arpa/inet.h> includeMartin Willi2015-04-131-2/+0
| | | | | As we make no use of htonl() and friends, this is unneeded, but actually prevents a Windows build.
* kernel-netlink: Fix GCC error about uninitialized variable useMartin Willi2015-04-081-1/+1
| | | | | get_replay_state() always returns a replay_state_len when returning a replay state, but GCC doesn't know about that.
* asn1: Undefine TIME_UTC, which is used by C11Martin Willi2015-04-081-0/+4
| | | | | When building with C11 support, TIME_UTC is used for timespec_get() and defined in <time.h>. Undefine TIME_UTC for our own internal use in asn1.c.
* Wipe auxiliary key store5.3.0Andreas Steffen2015-03-281-1/+1
|
* crypto-tester: Explicitly exclude FIPS-PRF from append mode testsMartin Willi2015-03-281-8/+11
| | | | | This was implicitly done by the seed length check before 58dda5d6, but we now require an explicit check to avoid that unsupported use.
* fips-prf: Fail when trying to use append mode on FIPS-PRFMartin Willi2015-03-281-1/+6
| | | | | Append mode hardly makes sense for the special stateful FIPS-PRF, which is different to other PRFs.
* Added PB-TNC test options to strongswan.conf man pageAndreas Steffen2015-03-271-0/+6
|
* Added tnc/tnccs-20-fail-init and tnc/tnccs-20-fail-resp scenariosAndreas Steffen2015-03-2738-8/+582
|
* Version bump to 5.3.0Andreas Steffen2015-03-271-1/+1
|
* Fixed PB-TNC error handlingAndreas Steffen2015-03-274-35/+32
|
* Added configurations for 3.18 and 3.19 KMV guest kernelsAndreas Steffen2015-03-272-0/+4346
|
* Fixed strongswan.conf man page entry of imc-attestationAndreas Steffen2015-03-272-18/+18
|
* Added tnc/tnccs-20-pt-tls scenarioAndreas Steffen2015-03-2724-5/+114
|
* cmac: Reset state before doing set_key()Martin Willi2015-03-271-0/+3
|
* af-alg: Reset hmac/xcbc state before doing set_key()Martin Willi2015-03-272-0/+2
|
* xcbc: Reset XCBC state in set_key()Martin Willi2015-03-271-0/+4
| | | | | If some partial data has been appended, a truncated key gets invalid if it is calculated from the pending state.
* hmac: Reset the underlying hasher before doing set_key() with longer keysMartin Willi2015-03-271-1/+2
| | | | | | | The user might have done a non-complete append, having some state in the hasher. Fixes #909.
* crypto-tester: Test set_key() after a doing a partial append on prf/signersMartin Willi2015-03-271-2/+20
| | | | | While that use is uncommon in real-world use, nonetheless should HMAC set a correct key and reset any underlying hasher.
* stroke: Properly parse bliss key strength in public key constraintTobias Brunner2015-03-251-1/+1
|
* eap-tnc: Free eap-tnc object if IKE_SA not found to get IPsTobias Brunner2015-03-251-0/+1
|
* tnccs-20: Fix error handling in build()Tobias Brunner2015-03-251-9/+5
|
* android: Add messages/ita directory to tnccs-20 pluginTobias Brunner2015-03-251-1/+1
|
* android: Sync libstrongswan Makefile.am and Android.mkTobias Brunner2015-03-251-0/+1
|
* libtnccs: Set apidoc category to libtnccs and move pluginsTobias Brunner2015-03-2510-11/+14
|
* libtnccs: Fix apidoc category for split IF-TNCCS 2.0 header filesTobias Brunner2015-03-253-5/+5
| | | | | Fixes 80322d2cee75 ("Split IF-TNCCS 2.0 protocol processing into separate TNC client and server handlers").
* Fixed some typos, courtesy of codespellTobias Brunner2015-03-253-3/+3
|
* kernel-netlink: Copy current usage stats to new SA in update_sa()Tobias Brunner2015-03-251-6/+34
| | | | | | | | | | | | This is needed to fix usage stats sent via RADIUS Accounting if clients use MOBIKE or e.g. the kernel notifies us about a changed NAT mapping. The upper layers won't expect the stats to get reset if only the IPs have changed (and some kernel interface might actually allow such updates without reset). It also fixes traffic based lifetimes in such situations. Fixes #799.
* child-sa: Add a new state to track rekeyed IKEv1 CHILD_SAsTobias Brunner2015-03-257-5/+15
| | | | | | This is needed to handle DELETEs properly, which was previously done via CHILD_REKEYING, which we don't use anymore since 5c6a62ceb6 as it prevents reauthentication.
* ikev1: Inverse check when applying received KE value during Quick Mode5.3.0rc1Martin Willi2015-03-241-1/+1
| | | | Fixes Quick Mode negotiation when PFS is in use.
* Version bump to 5.3.0rc1Andreas Steffen2015-03-231-1/+1
|
* testing: added tnc/tnccs-20-mutual scenarioAndreas Steffen2015-03-2311-0/+151
|
* Implemented PB-TNC mutual half-duplex protocolAndreas Steffen2015-03-236-35/+143
|
* Optionally announce PB-TNC mutual protocol capabilityAndreas Steffen2015-03-2311-13/+428
|
* Split IF-TNCCS 2.0 protocol processing into separate TNC client and server ↵Andreas Steffen2015-03-239-799/+1746
| | | | handlers
* Merge branch 'dh-checks'Martin Willi2015-03-2334-253/+465
|\ | | | | | | | | Extend the diffie-hellman interface by success return values, and do some basic length checks for DH public values.
| * encoding: Remove DH public value verification from KE payloadMartin Willi2015-03-231-73/+0
| | | | | | | | | | | | | | | | This commit reverts 84738b1a and 2ed5f569. As we have no DH group available in the KE payload for IKEv1, the verification can't work in that stage. Instead, we now verify DH groups in the DH backends, which works for any IKE version or any other purpose.
| * diffie-hellman: Verify public DH values in backendsMartin Willi2015-03-237-1/+107
| |
| * diffie-hellman: Add a bool return value to set_other_public_value()Martin Willi2015-03-2319-55/+123
| |
| * diffie-hellman: Add a bool return value to get_my_public_value()Martin Willi2015-03-2323-39/+87
| |
| * libimcv: Allow pts_t.set_peer_public_value() to failMartin Willi2015-03-234-7/+11
| |
| * libimcv: Allow pts_t.get_my_public_value() to failMartin Willi2015-03-234-4/+14
| |
| * encoding: Allow ke_payload_create_from_diffie_hellman() to failMartin Willi2015-03-235-13/+59
| |
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-12 01:28:34 +0000